Crypt-LE-0.38/script/le.pl

22 …  my $opt = { logger => Log::Log4perl->get_logger(), e => encode_args(), error => parse_config() };
24     if (my $rv = work($opt)) {
25         $opt->{logger}->error($rv->{'msg'}) if $rv->{'msg'};
32     my $opt = shift;
33     my $rv = parse_options($opt);
36     $opt->{'api'} = 2 unless (defined $opt->{'api'} or $opt->{'server'} or $opt->{'directory'});
39 	dir => $opt->{'directory'},
40 	server => $opt->{'server'},
41 	live => $opt->{'live'},
42 	version => $opt->{'api'}||0,
43 	debug => $opt->{'debug'},
44 	logger => $opt->{'logger'},
47     if (-r $opt->{'key'}) {
48         $opt->{'logger'}->info("Loading an account key from $opt->{'key'}");
49 …$le->load_account_key($opt->{'key'}) == OK or return $opt->{'error'}->("Could not load an account …
51         $opt->{'logger'}->info("Generating a new account key");
52 …$le->generate_account_key == OK or return $opt->{'error'}->("Could not generate an account key: " …
53         $opt->{'logger'}->info("Saving generated account key into $opt->{'key'}");
54 …return $opt->{'error'}->("Failed to save an account key file", 'ACCOUNT_KEY_SAVE') if _write($opt-…
57     if ($opt->{'update-contacts'}) {
59         my $reg = _register($le, $opt);
61 …my @contacts = (lc($opt->{'update-contacts'}) eq 'none') ? () : grep { $_ } split /\s*\,\s*/, $opt…
69 …return $opt->{'error'}->("Unknown format for the contacts: " . join(", ", @rejected), 'CONTACTS_FO…
70 …return $opt->{'error'}->("Could not update contact details: " . $le->error_details, 'CONTACTS_UPDA…
71         $opt->{'logger'}->info("Contact details have been updated.");
75     if ($opt->{'revoke'}) {
76         my $crt = _read($opt->{'crt'});
77 …return $opt->{'error'}->("Could not read the certificate file.", 'CERTIFICATE_FILE_READ') unless $…
82         my $reg = _register($le, $opt);
86             $opt->{'logger'}->info("Certificate has been revoked.");
88             $opt->{'logger'}->info("Certificate has been ALREADY revoked.");
90 …return $opt->{'error'}->("Problem with revoking certificate: " . $le->error_details, 'CERTIFICATE_…
95     if ($opt->{'domains'}) {
96         if ($opt->{'e'}) {
97 …$opt->{'logger'}->warn("Could not encode arguments, support for internationalized domain names may…
99             my @domains = grep { $_ } split /\s*\,\s*/, $opt->{'domains'};
100             $opt->{'domains'} = join ",", map { _puny($_) } @domains;
103     if (-r $opt->{'csr'}) {
104         $opt->{'logger'}->info("Loading a CSR from $opt->{'csr'}");
105 …$le->load_csr($opt->{'csr'}, $opt->{'domains'}) == OK or return $opt->{'error'}->("Could not load …
106 …opt->{'error'}->("For multi-webroot path usage, the amount of paths given should match the amount …
108         if ($opt->{'csr-key'} and -e $opt->{'csr-key'}) {
109 …turn $opt->{'error'}->("Could not load existing CSR key from $opt->{'csr-key'} - " . $le->error_de…
112         $opt->{'logger'}->info("Generating a new CSR for domains $opt->{'domains'}");
113         if (-e $opt->{'csr-key'}) {
115 …turn $opt->{'error'}->("Could not load existing CSR key from $opt->{'csr-key'} - " . $le->error_de…
116              $opt->{'logger'}->info("New CSR will be based on '$opt->{'csr-key'}' key");
118              $opt->{'logger'}->info("New CSR will be based on a generated key");
120 …my ($type, $attr) = $opt->{'curve'} ? (KEY_ECC, $opt->{'curve'}) : (KEY_RSA, $opt->{'legacy'} ? 20…
121 …$le->generate_csr($opt->{'domains'}, $type, $attr) == OK or return $opt->{'error'}->("Could not ge…
122         $opt->{'logger'}->info("Saving a new CSR into $opt->{'csr'}");
123         return "Failed to save a CSR" if _write($opt->{'csr'}, $le->csr);
124         unless (-e $opt->{'csr-key'}) {
125             $opt->{'logger'}->info("Saving a new CSR key into $opt->{'csr-key'}");
126 …return $opt->{'error'}->("Failed to save a CSR key", 'CSR_SAVE') if _write($opt->{'csr-key'}, $le-…
128 …opt->{'error'}->("For multi-webroot path usage, the amount of paths given should match the amount …
131     return if $opt->{'generate-only'};
133     if ($opt->{'renew'}) {
134         if ($opt->{'crt'} and -r $opt->{'crt'}) {
135             $opt->{'logger'}->info("Checking certificate for expiration (local file).");
136             $opt->{'expires'} = $le->check_expiration($opt->{'crt'});
137 …$opt->{'logger'}->warn("Problem checking existing certificate file.") unless (defined $opt->{'expi…
139         unless (defined $opt->{'expires'}) {
140             $opt->{'logger'}->info("Checking certificate for expiration (website connection).");
141             if ($opt->{'renew-check'}) {
142                 $opt->{'logger'}->info("Checking $opt->{'renew-check'}");
143                 $opt->{'expires'} = $le->check_expiration("https://$opt->{'renew-check'}/");
150                    $opt->{'logger'}->info("Checking $domain");
151                    $opt->{'expires'} = $le->check_expiration("https://$domain/");
152                    last if (defined $opt->{'expires'});
156 …return $opt->{'error'}->("Could not get the certificate expiration value, cannot renew.", 'EXPIRAT…
157         if ($opt->{'expires'} > $opt->{'renew'}) {
160 …   $opt->{'logger'}->info("Too early for renewal, certificate expires in $opt->{'expires'} days.");
161             return $opt->{'error'}->("", 'EXPIRATION_EARLY');
163 …opt->{'logger'}->info("Expiration threshold set at $opt->{'renew'} days, the certificate " . ($opt…
166     if ($opt->{'email'}) {
167 …return $opt->{'error'}->($le->error_details, 'EMAIL_SET') if $le->set_account_email($opt->{'email'…
171     my $reg = _register($le, $opt);
175 …my %callback_data = map { $_ => $opt->{$_} } grep { ! ref $opt->{$_} or ref $opt->{$_} eq 'HASH' }…
178 …my $new_crt_status = ($opt->{'server'} or $opt->{'directory'}) ? AUTH_ERROR : $le->request_certifi…
180         $opt->{'logger'}->info("Received domain certificate, no validation required at this time.");
183 …return $opt->{'error'}->("Error requesting certificate: " . $le->error_details, 'CERTIFICATE_GET')…
185         my ($challenge_handler, $verification_handler) = ($opt->{'handler'}, $opt->{'handler'});
186         if (!$opt->{'handler'}) {
187             if ($opt->{'handle-as'}) {
188 …opt->{'error'}->("Only 'http' and 'dns' can be handled internally, use external modules for other …
195 …     return $opt->{'error'}->($le->error_details, 'CHALLENGE_REQUEST') if $le->request_challenge();
196 …n $opt->{'error'}->($le->error_details, 'CHALLENGE_ACCEPT') if $le->accept_challenge($challenge_ha…
199         return { code => $opt->{'issue-code'}||0 } if $opt->{'delayed'};
202         return $opt->{'error'}->($le->error_details, 'NONCE_REFRESH') unless $le->new_nonce();
203 …opt->{'error'}->($le->error_details, 'CHALLENGE_VERIFY') if $le->verify_challenge($verification_ha…
206         $opt->{'logger'}->info("Requesting domain certificate.");
207 … return $opt->{'error'}->($le->error_details, 'CERTIFICATE_REQUEST') if $le->request_certificate();
212     if ($opt->{'alternative'}) {
213         $opt->{'logger'}->info("Requesting alternative certificates.");
214 …return $opt->{'logger'}->error($le->error_details, 'CERTIFICATE_REQUEST') if $le->request_alternat…
215         if (my $alternative = $le->alternative_certificate($opt->{'alternative'} - 1)) {
218 …return $opt->{'error'}->("There is no alternative certificate #$opt->{'alternative'}.", 'CERTIFICA…
221         $opt->{'logger'}->info("Requesting issuer's certificate.");
224 …$opt->{'logger'}->error("Could not download an issuer's certificate, " . ($le->issuer_url ? "try t…
225 …        $opt->{'logger'}->warn("Will be saving the domain certificate alone, not the full chain.");
226 …return $opt->{'error'}->("Failed to save the domain certificate file", 'CERTIFICATE_SAVE') if _wri…
234         unless ($opt->{'legacy'}) {
235             $opt->{'logger'}->info("Saving the full certificate chain to $opt->{'crt'}.");
236 …return $opt->{'error'}->("Failed to save the domain certificate file", 'CERTIFICATE_SAVE') if _wri…
238             $opt->{'logger'}->info("Saving the domain certificate to $opt->{'crt'}.");
239 …return $opt->{'error'}->("Failed to save the domain certificate file", 'CERTIFICATE_SAVE') if _wri…
240             $opt->{'crt'}=~s/\.[^\.]+$//;
241             $opt->{'crt'}.='.ca';
242             $opt->{'logger'}->info("Saving the issuer's certificate to $opt->{'crt'}.");
243 …$opt->{'logger'}->error("Failed to save the issuer's certificate", 'CERTIFICATE_SAVE') if _write($…
246     if ($opt->{'export-pfx'}) {
250             my $target_pfx = $opt->{'crt'};
252             $opt->{'logger'}->info("Exporting certificate to $target_pfx.pfx.");
253 …opt->{'error'}->("Error exporting pfx: " . $le->error_details, 'CERTIFICATE_EXPORT') if $le->expor…
255 …return $opt->{'error'}->("Issuer's certificate is not available, skipping pfx export to avoid crea…
258     if ($opt->{'complete-handler'}) {
261 …certificate => $le->certificate, certificate_file => $opt->{'crt'}, key_file => $opt->{'csr-key'},…
262             domains => $le->domains, logger => $opt->{'logger'},
266             $rv = $opt->{'complete-handler'}->complete($data, \%callback_data);
269 …return $opt->{'error'}->("Completion handler " . ($@ ? "thrown an error: $@" : "did not return a t…
272 …opt->{'logger'}->info("===> NOTE: You have been using the test server for this certificate. To iss…
273     $opt->{'logger'}->info("The job is done, enjoy your certificate!\n");
274     return { code => $opt->{'issue-code'}||0 };
278     my $opt = shift;
281 …GetOptions ($opt, 'key=s', 'csr=s', 'csr-key=s', 'domains=s', 'path=s', 'crt=s', 'email=s', 'curve…
284         return $opt->{'error'}->("Use --help to see the usage examples.", 'PARAMETERS_PARSE');
286     if ($opt->{'config'}) {
287 …return $opt->{'error'}->("Configuration file '$opt->{'config'}' is not readable", 'PARAMETERS_PARS…
288         my $rv = parse_config($opt);
289         return $opt->{'error'}->("Configuration file error: $rv" , 'PARAMETERS_PARSE') if $rv;
292     usage_and_exit($opt) unless ($args and !$opt->{'help'});
293     my $rv = reconfigure_log($opt);
296     $opt->{'logger'}->info("[ Crypt::LE client v$VERSION started. ]");
300         if ($opt->{$url_type}) {
301 …return $opt->{'error'}->("Unsupported protocol for the custom $url_type URL: $1.", 'CUSTOM_' . uc(…
302             my $server = $opt->{$url_type}; # For logging.
303 …$opt->{'logger'}->warn("Remember to URL-escape special characters if you are using $url_type URL w…
304             $opt->{'logger'}->info("Custom $url_type URL 'https://$server' is used.");
305 …$opt->{'logger'}->warn("Note: '$url_type' setting takes over the 'server' one.") if $custom_server;
309 …  $opt->{'logger'}->warn("Note: 'live' option is ignored.") if ($opt->{'live'} and $custom_server);
311     if ($opt->{'renew-check'}) {
312 …$opt->{'error'}->("Unsupported protocol for the renew check URL: $1.", 'RENEW_CHECK_URL') if ($opt…
315 …return $opt->{'error'}->("Incorrect parameters - need account key file name specified.", 'ACCOUNT_…
316     if (-e $opt->{'key'}) {
317 …return $opt->{'error'}->("Account key file is not readable.", 'ACCOUNT_KEY_NOT_READABLE') unless (…
319 …return $opt->{'error'}->("Account key file is missing and the option to generate missing files is …
322     unless ($opt->{'crt'} or $opt->{'generate-only'} or $opt->{'update-contacts'}) {
323 …return $opt->{'error'}->("Please specify a file name for the certificate.", 'CERTIFICATE_FILENAME_…
326     if ($opt->{'export-pfx'}) {
327         if ($opt->{'crt'} and $opt->{'crt'}=~/\.pfx$/i) {
328 …return $opt->{'error'}->("Please ensure that the extension of the certificate filename is differen…
330 …unless ($opt->{'csr-key'} and (-r $opt->{'csr-key'} or ($opt->{'generate-missing'} and ! -e $opt->…
331 …return $opt->{'error'}->("Need either existing csr-key specified or having CSR file generated (via…
333     } elsif ($opt->{'tag-pfx'}) {
334         $opt->{'logger'}->warn("Option 'tag-pfx' makes no sense without 'export-pfx' - ignoring.");
337     if ($opt->{'revoke'}) {
338 …return $opt->{'error'}->("Need a certificate file for revoke to work.", 'NEED_CERTIFICATE_FOR_REVO…
339 …opt->{'error'}->("Need an account key - revoke assumes you had a registered account when got the c…
340     } elsif (!$opt->{'update-contacts'}) {
341 …return $opt->{'error'}->("Incorrect parameters - need CSR file name specified.", 'CSR_FILENAME_REQ…
342         if (-e $opt->{'csr'}) {
343 …return $opt->{'error'}->("CSR file is not readable.", 'CSR_NOT_READABLE') unless (-r $opt->{'csr'}…
345 …return $opt->{'error'}->("CSR file is missing and the option to generate missing files is not used…
346 …return $opt->{'error'}->("CSR file is missing and CSR-key file name is not specified.", 'CSR_MISSI…
347 …return $opt->{'error'}->("Domain list should be provided to generate a CSR.", 'DOMAINS_REQUIRED') …
350         if ($opt->{'path'}) {
352             foreach my $path (grep { $_ } split /\s*,\s*/, $opt->{'path'}) {
355 …return $opt->{'error'}->("Path to save challenge files into should be a writable directory for: " …
356         } elsif ($opt->{'unlink'}) {
357 …return $opt->{'error'}->("Unlink option will have no effect without --path.", 'UNLINK_WITHOUT_PATH…
360         $opt->{'handle-as'} = $opt->{'handle-as'} ? lc($opt->{'handle-as'}) : 'http';
362         if ($opt->{'handle-with'}) {
363             my $error = _load_mod($opt, 'handle-with', 'handler');
364 …return $opt->{'error'}->("Cannot use the module to handle challenges with - $error", 'CHALLENGE_MO…
365             my $method = 'handle_challenge_' . $opt->{'handle-as'};
366 …opt->{'error'}->("Module to handle challenges does not seem to support the challenge type of $opt-…
367             my $rv = _load_params($opt, 'handle-params');
371         if ($opt->{'complete-with'}) {
372             my $error = _load_mod($opt, 'complete-with', 'complete-handler');
373 …return $opt->{'error'}->("Cannot use the module to complete processing with - $error.", 'COMPLETIO…
374 …opt->{'error'}->("Module to complete processing with does not seem to support the required 'comple…
375             my $rv = _load_params($opt, 'complete-params');
427     my ($opt) = @_;
428     unless ($opt) {
433     if (my $config = _read($opt->{'config'})) {
457         my $debug = $opt->{'debug'};
459         $opt->{'error'} = sub {
478     my $opt = shift;
479     if ($opt->{'log-config'}) {
481             Log::Log4perl::init($opt->{'log-config'});
485 …return $opt->{'error'}->("Could not init logging with '$opt->{'log-config'}' file", 'LOGGER_INIT');
487         $opt->{logger} = Log::Log4perl->get_logger();
489     $opt->{logger}->level($ERROR) if $opt->{'quiet'};
494     my ($le, $opt) = @_;
495 …return $opt->{'error'}->("Could not load the resource directory: " . $le->error_details, 'RESOURCE…
496     $opt->{'logger'}->info("Registering the account key");
497     return $opt->{'error'}->($le->error_details, 'REGISTRATION') if $le->register;
499 …$opt->{'logger'}->info($le->new_registration ? "The key has been successfully registered. ID: $cur…
500 …$opt->{'logger'}->info("Make sure to check TOS at " . $le->tos) if ($le->tos_changed and $le->tos);
503 …$opt->{'logger'}->info("Current contact details: " . join(", ", map { s/^\w+://; $_ } (ref $contac…
519     my ($le, $opt) = @_;
520     if ($opt->{'path'} and my $domains = $le->domains) {
521         my @paths = grep {$_} split /\s*,\s*/, $opt->{'path'};
525                 $opt->{'multiroot'}->{$domains->[$i]} = $paths[$i];
533     my ($opt, $type, $handler) = @_;
534     return unless ($opt and $opt->{$type});
536         my $mod = $opt->{$type};
539             $opt->{$type} = "./$opt->{$type}" unless $opt->{$type}=~/^(\w+:|\.*[\/\\])/;
541         load $opt->{$type};
542         $opt->{$handler} = $mod->new();
552     my ($opt, $type) = @_;
553     return unless ($opt and $opt->{$type});
554     if ($opt->{$type}!~/[\{\[\}\]]/) {
555         $opt->{$type} = _read($opt->{$type});
556 …return $opt->{'error'}->("Could not read the file with '$type'.", 'FILE_READ') unless $opt->{$type…
560         $opt->{$type} = $j->decode($opt->{$type});
562     return ($@ or (ref $opt->{$type} ne 'HASH')) ?
563 …$opt->{'error'}->("Could not decode '$type'. Please make sure you are providing a valid JSON docum…
672     my $opt = shift;
674     if ($opt->{'help'}) {